0 Replies Latest reply on Nov 13, 2013 12:05 PM by Sebastiao Santos

    JAAS security with JMS Queues and remote client

    Sebastiao Santos Newbie

      Hi Guys,


      I think I'm missing some concepts about security and sending messages to a queue from a remote Java client.


      In my server, I use some realms to authenticate users like:


                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local"/>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <authentication>
                          <jaas name="myJaasSecurityDomain"/>
                      </authentication>
                  </security-realm>




      My ApplicationRealm is securing my web apps using a LoginModule with "code" database and it's all OK. My ManagementRealm is protecting something like my native-interface and http-interface.


      I've deployed a queue with JNDI "queue/PingQueue" and its respective remote name "java:jboss/exported/queue/PingQueue" in my standalone-full.xml, and I want to send a message from a remote Java client for learning purposes.


      First problem: to do JNDI lookup of ConnectionFactory and Queue, I can only use ManagementRealm on the remoting subsystem as:

              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <connector name="remoting-connector" socket-binding="remoting" security-realm="ManagementRealm"/>
              </subsystem>



      In this way, I can do JNDI lookup of ConnectionFactories and Queues using a username/password registered in mgmt-users.properties, but if I change the security-realm of the connector to ApplicationRealm, I can't do the lookup using a username/password that exists in ApplicationRealm.


      Second problem: to create connections using 'connectionFactory.createConnection("username", "password")' I'm only able to use ApplicationRealm.


      When I try to send a message to a queue, Hornet tells me that "...myUser doesn't have permission='SEND' on address jms.queue.queuePingQueue".


      Question 1: Can I use ApplicationRealm to secure my remoting subsystem, or am I doing this wrong? To use ApplicationRealm, do I need to transform my username/password with something like JaasCallbackHandler or Hash MD5 or other?


      Question 2: How can I fix the Queue security so I can put messages on that queue/PingQueue?


      Question 3: Is my setup OK? Does my standalone-full.xml have some design problems?


      Below is some code I'm using outside the container, from my Java client. I'm using jboss-client.jar as a library and JBoss 7.1.3. I'm running my client from Eclipse with JBoss Tools.


      Thanks in advance,



                  // JNDI environment: these credentials are checked by the security realm on the remoting connector
                  final Properties env = new Properties();
                  env.put(Context.PROVIDER_URL, System.getProperty(Context.PROVIDER_URL, PROVIDER_URL));
                  env.put(Context.SECURITY_PRINCIPAL, System.getProperty("username", DEFAULT_USERNAME));
                  env.put(Context.SECURITY_CREDENTIALS, System.getProperty("password", DEFAULT_PASSWORD));
                  context = new InitialContext(env);

                  // Look up the remotely exported connection factory and queue
                  connectionFactory = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
                  destination = (Destination) context.lookup("queue/PingQueue");

                  // JMS credentials: HornetQ authenticates these and checks the user's roles for SEND on the address
                  connection = connectionFactory.createConnection("myUser", "myPassword");
                  session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
                  producer = session.createProducer(destination);

                  message = session.createTextMessage(content);
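
Added example, not part of the original post: the 'SEND' error quoted above comes from HornetQ comparing the authenticated user's roles with the `<security-settings>` of the messaging subsystem in standalone-full.xml. The fragment shows the stock catch-all entry next to a narrower entry for the address named in the error; the role name `pingSender` is an assumption and must be a role that the JAAS login module actually returns for myUser.

```xml
<!-- Fragment of <hornetq-server> in the messaging subsystem of standalone-full.xml -->
<security-settings>

    <!-- Stock catch-all entry: "#" matches every address, and only users
         holding the role "guest" may send or consume. A user authenticated
         through a custom login module that never assigns "guest" is
         rejected with permission='SEND'. -->
    <security-setting match="#">
        <permission type="send" roles="guest"/>
        <permission type="consume" roles="guest"/>
        <permission type="createNonDurableQueue" roles="guest"/>
        <permission type="deleteNonDurableQueue" roles="guest"/>
    </security-setting>

    <!-- Narrower entry for the address taken from the error message.
         "pingSender" is a hypothetical role name used for illustration;
         replace it with a role your login module assigns to the user.
         Granting it here avoids widening the "#" entry for every queue. -->
    <security-setting match="jms.queue.queuePingQueue">
        <permission type="send" roles="pingSender"/>
        <permission type="consume" roles="pingSender"/>
    </security-setting>

</security-settings>
```

The most specific match replaces the catch-all for that address instead of adding to it, so every permission the queue needs has to be listed in the narrower entry.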